SAP on Azure

Overview

Running SAP workloads on Microsoft Azure demands more than raw compute power — it requires a precisely architected, security-hardened, and SAP-certified infrastructure that can scale with your business while remaining operations-ready from day one.

Our SAP on Azure service offering covers the full infrastructure lifecycle: from initial architecture and automated provisioning to connectivity, monitoring, backup, and go-live readiness assessment. Whether you are migrating an existing SAP landscape, deploying a greenfield environment, or connecting your on-premises SAP estate to SAP RISE on Azure, we deliver infrastructure that is built to SAP’s and Microsoft’s enterprise best practices.

Service Modules

Our SAP on Azure offering is structured into six focused service modules. They can be engaged individually or as a complete end-to-end delivery.

1. Custom VM Deployment for SAP Workloads

We design and deploy Azure Virtual Machines that are purpose-built for your specific workload requirements — whether that is SAP HANA, SAP NetWeaver (ABAP/Java), SAP S/4HANA, or SAP Application Server instances.

What we deliver:

• Selection and sizing of SAP-certified VM families (M-series, Mv2, E-series, D-series) based on your benchmarks and HANA memory requirements
• Deployment of VMs across Availability Zones or Availability Sets for high availability
• Configuration of accelerated networking, write accelerator, and Ultra Disk for performance-critical HANA workloads
• OS baseline configuration (SLES for SAP, RHEL for SAP) aligned with SAP Notes and Azure-specific OS tuning guidelines
• SAP-specific kernel parameter configuration and storage layout (data, log, shared, backup volumes) per SAP HANA TDI guidelines
• VM proximity placement groups for latency-sensitive application/database pairs

2. Infrastructure Provisioning via Terraform

All Azure infrastructure is provisioned using Terraform — enabling repeatable, auditable, and version-controlled deployments that eliminate configuration drift and reduce deployment time from days to hours.

What we deliver:

• Modular Terraform codebase following the SAP on Azure Terraform module structure (compatible with SAP Deployment Automation Framework where applicable)
• Infrastructure-as-Code covering: resource groups, VNets, subnets, NSGs, route tables, VMs, managed disks, load balancers, NAT gateways, private endpoints, and DNS zones
• Environment-specific variable files (dev, qas, prod) with a shared module library for consistent deployments across landscapes
• Remote state management via Azure Storage Account with state locking
• Integration with Azure DevOps or GitHub Actions for CI/CD-driven infrastructure pipelines
• Terraform plan/apply workflows with approval gates for production changes
• Full documentation of all modules and input variables

Sample module structure:

module "sap_hana_vm" {
  source              = "./modules/sap-vm"
  vm_name             = "saphanap01"
  vm_size             = "Standard_M64s_v2"
  availability_zone   = 1
  os_disk_type        = "Premium_LRS"
  data_disk_count     = 4
  data_disk_size_gb   = 512
  subnet_id           = module.networking.db_subnet_id
  proximity_group_id  = azurerm_proximity_placement_group.sap.id
}

3. Network Architecture: Subnets & Load Balancers

SAP landscapes on Azure require a carefully segmented network topology to enforce security boundaries, enable high availability, and ensure SAP-compliant traffic flows between application, database, and management tiers.

Subnet Design:

We design and implement a dedicated VNet topology with purpose-specific subnets:

Load Balancer Configuration:

Azure Internal Load Balancers are the backbone of SAP high availability on Azure. We configure:

• ASCS/ERS cluster ILB: Frontend IP, backend pool, and HA port rules for the SAP Central Services cluster
• HANA System Replication ILB: Frontend IP for HSR primary/secondary failover with correct health probe (TCP 625xx)
• Floating IP (Direct Server Return) enabled on all SAP ILB rules — a mandatory requirement for SAP on Azure
• NSG rules scoped per subnet to allow only required SAP ports (RFC, HTTP/S, HANA, database dialogs) while blocking all other inbound traffic

4. Azure Landing Zone Connectivity with SAP RISE

SAP RISE (SAP S/4HANA Cloud, private edition) runs in an SAP-managed Azure subscription. Connecting your corporate Azure Landing Zone to the SAP RISE environment requires a carefully orchestrated peering and routing setup that spans subscription boundaries and respects SAP’s managed network perimeter.

What we deliver:

• Architecture design for Landing Zone ↔ SAP RISE connectivity following SAP’s published integration guide
• Configuration of VNet Peering between your corporate Azure VNet and the SAP-managed RISE VNet (initiated from the customer side; SAP approves from theirs)
• Routing table design to ensure RFC, HTTP/S, and BTP traffic is correctly forwarded across the peering boundary
• NSG rule set aligned with SAP RISE’s required inbound/outbound port matrix
• Private DNS zone configuration for SAP RISE hostnames, ensuring name resolution works across the peering
• Connectivity validation using Azure Network Watcher and SAP’s provided connection test tooling
• Integration with on-premises connectivity via ExpressRoute or Site-to-Site VPN, ensuring hybrid access to RISE from corporate data centers

Connectivity topology overview:

Corporate Azure Subscription          SAP-Managed Subscription (RISE)
┌─────────────────────────┐            ┌──────────────────────────────┐
│  Hub VNet (Landing Zone)│ ◄─Peering─►│  SAP RISE VNet               │
│  ├── Firewall / NVA     │            │  ├── SAP S/4HANA ABAP        │
│  ├── ExpressRoute GW    │            │  ├── SAP HANA DB             │
│  └── DNS Resolver       │            │  └── SAP BTP Connectivity    │
└────────────┬────────────┘            └──────────────────────────────┘
             │ ExpressRoute
     On-Premises Data Center

5. Azure Center for SAP Solutions (ACSS)

Azure Center for SAP Solutions (ACSS) is Microsoft’s native Azure service for deploying, managing, and monitoring SAP workloads directly from the Azure portal. It provides a unified control plane for your entire SAP landscape, with built-in quality checks and SAP system inventory.

What we deliver:

• Registration of existing SAP systems in ACSS (Virtual Instance for SAP — VIS) for centralized visibility
• New SAP deployments via ACSS using the guided infrastructure deployment wizard, ensuring Microsoft’s SAP best practices are applied automatically
• Configuration of ACSS-native monitoring: SAP system health, HANA database metrics, OS-level telemetry — all surfaced in Azure Monitor
• Setup of ACSS Quality Checks to continuously validate your SAP infrastructure against SAP and Azure best practices (VM sizing, storage configuration, HA configuration, OS settings)
• Integration of ACSS with Azure workbooks and dashboards for SAP Basis and operations teams
• Configuration of SAP system stop/start automation via ACSS to optimize compute costs in non-production landscapes

6. Go-Live Assessment of Azure Infrastructure

Before any SAP system goes live on Azure, a structured infrastructure readiness assessment is essential. Our go-live assessment follows the SAP on Azure Go-Live Checklist and Microsoft’s SAP readiness framework to validate that every layer of the infrastructure is production-ready.

Assessment scope:

Deliverables:

• Written assessment report with findings categorized as Blocker / Major / Minor
• Remediation guidance with Azure CLI / Terraform snippets for each finding
• Executive summary suitable for go/no-go decision-making
• Optional: remediation sprint to close all blocker and major findings before go-live

7. NetApp Volumes & Backup and Recovery

Azure NetApp Files (ANF)

Azure NetApp Files is the recommended shared storage solution for SAP HANA scale-out, SAP transport directories, and high-performance NFS shares on Azure. We configure ANF to meet SAP’s strict latency and throughput requirements.

What we deliver:

• NetApp Account and Capacity Pool setup (Standard / Premium / Ultra service levels based on workload requirements)
• Volume creation and configuration for SAP use cases:
  • /hana/shared — shared NFS volume for HANA scale-out nodes
  • /hana/data and /hana/log — NFS volumes with Ultra service level for performance-critical deployments
  • /usr/sap and transport directories for application server sharing
• ANF delegated subnet configuration and VNet integration
• Snapshot policy configuration for application-consistent point-in-time recovery
• ANF Cross-Region Replication (CRR) setup for disaster recovery replication to a secondary Azure region
• Performance benchmarking of ANF volumes post-deployment using SAP HANA storage benchmark tools

Backup and Recovery

A robust backup strategy is non-negotiable for SAP workloads. We design and implement a multi-layer backup architecture on Azure.

What we deliver:

• Azure Backup for SAP HANA: configuration of the HANA Backint interface with Azure Backup, including full, incremental, and log backup schedules
• Azure Backup for VMs: policy-based VM snapshots for OS and data disks with configurable retention (daily, weekly, monthly, yearly)
• Recovery Services Vault: provisioning and configuration of the vault, backup policies, and soft-delete settings
• ANF Snapshot-based recovery: configuration of scheduled ANF snapshots and validation of volume restore procedures
• Backup monitoring and alerting via Azure Monitor and Backup Center dashboards
• Documented and tested recovery runbook covering: HANA point-in-time recovery, VM restore, and ANF volume restore procedures
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) validation against agreed SLAs

Engagement Model

Our SAP on Azure services can be engaged in three ways:

Technology Stack

References

• SAP on Azure — Microsoft Documentation 
• Azure Center for SAP Solutions 
• SAP HANA on Azure VM Storage Configurations 
• SAP RISE Integration with Azure Landing Zones 
• Azure NetApp Files for SAP HANA 
• Azure Backup for SAP HANA 
• SAP on Azure Terraform Modules 
• SAP Certified Infrastructure on Azure